Intranet Security

The Southern Adventist University network is divided into security zones to maintain separation among internal university networks and the Internet. The Intranet zone, comprising computers and servers containing confidential and proprietary data, is subject to stricter rules. This policy defines these rules and augments the Network Usage Policy for computers and users.

Firewall Restrictions

The firewall is configured so computers outside the Intranet zone cannot initiate connections to computers inside the zone.

Specific exceptions to the above rule may be granted for academic or administrative needs. Requests are made in writing to the executive director of information systems, and should include rational, security precautions, a specific IP address, port connections, and a time limit if applicable. Information Systems studies the security implications of the request and grants access only when the integrity of the network can be maintained.

Exceptions will be reviewed during the annual security audit (see below).

Backup and Recovery

All servers connected to the Intranet zone must participate in the centralized backup system as outlined in the Backup and Recovery Policy.

Users of workstations in this zone have private storage space on a centralized server for backing up university data contained on the local machine. In case of disaster, files can be restored according to the Backup and Recovery Policy.

Operating Systems and Software

Workstations must have Windows 2000 or above installed as the operating system.

Workstations and servers must not use remote access software that is configured for access directly by modem. Users needing remote access to internal resources should contact Information Systems about VPN connections.

User Responsibility

Users should not share their passwords with anyone. No one, including Information System employees, has authorization to ask for a password. Passwords should be changed from time to time and should be memorized in order to avoid the need to write them down.

If workstations are left unattended, users should log out of all administrative software and log out of their account on the machine.

Intranet servers are to be used primarily for university data and not personal files. Users will be required to provide an explanation for excessive use of Intranet storage space.

Users should report to Information Systems any suspected security violations, security problems, or suspicious behavior as it relates to computer security.

Security Audit

Information Systems staff will annually audit security on the Intranet zone. This audit will include network scanning of all workstations, review of server configurations, reevaluation of firewall rules, testing of backup and recovery procedures, and review of this policy as outlined below.

Policy evaluation and review

This policy will be reviewed annually to ensure that it is relevant, serves the needs and priorities of the institution, and is consistent with current trends in information technology. The following process will be followed:

Information Systems Networking Staff reviews this policy before the May meeting of the Information Technology Advisory Committee. Additional input will be solicited from members of this committee.